"Gosney said he plans to “make a bit of money” off his invention, either by renting out time on it or by offering it as a paid password recovery and domain auditing service. “I have way too much invested in this to not get some kind of return out of it,” he wrote."
No bit coins there.
Grant
Darwin NT

Interesting article. Gives rise to a serious debate on this. I noted that the article refers to wordlist, dictionary & brute force attacks.

So what if no dictionary or wordlist is used to create a password, what would it take to crack?

For example, I use an 18 character alpha numeric one that doesn't use any words as such or any other obvious one like D.O.B etc.

Well.. alpha numeric, 18 characters. If you want to brute force it, then you have a-z, A-Z, 0-9. 26+26+10=62. 62 possibilities for each of the 18 characters, which means 62^18, 1.83e+32 possibilities. If we go conservative and say 10 million attempts/second, you're still looking at 1.83e+25 seconds (581,090,538,308,693,755 years).

Longer passwords take much..much longer to brute force. The addition of each character literally makes it exponentially more difficult, and mixing upper and lower case with digits and special characters increases the complexity immensely, mostly because you don't know what special characters are permitted. You could assume all the ones you see on the keyboard, but what if there were some UTF-16 characters, like the alt+code characters. Then you could quite literally be talking about 16384^[length of password].

Of course you then have alternative methods of cracking some passwords, especially hashed ones, by the use of rainbow tables, which in some cases can significantly reduce the amount of time needed to brute force a password.
Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

If we go conservative and say 10 million attempts/second, you're still looking at 1.83e+25 seconds (581,090,538,308,693,755 years).

A bit too conservative.
"In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second."

"With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours."

Of course you then have alternative methods of cracking some passwords, especially hashed ones, by the use of rainbow tables, which in some cases can significantly reduce the amount of time needed to brute force a password.

Yep, with GB of RAM & TB of storage available rainbow tables allow huge reductions in cracking times over a pure brute force attack.
Grant
Darwin NT

When I heard the most common password used today is "password" I thought, boy, people are so silly.

So how long would that box take to crack if that box was doing billions of combinations a second? And what about if you had a couple of them doing it at the same time?
My math isn't that good so I'll leave it to others to work out.

Alright, re-adjusting 62^18 for 348 billion/second, 16,698,003,974,387 years. Cuts it down a lot.

As for 'password' being brute-forced.. 26^8 divided by 348B/sec = 0.600077771 seconds. Of course, a simple word like "password" would definitely be in a dictionary, but before even trying any sort of expensive cracking methods.. most smart people would just simply try that manually first. :)

I've dabbled in trying to recover some ZIP archive passwords before, and you always start with all lower-case and a maximum of 8 characters first. On an old P3 machine, I let it run for two weeks and it only made it to 5 or 6 characters, and the high-order character (left-most) was I think a C or a D. Dictionaries are the first thing you should try, and a really good dictionary can still be 10-15GB of possibilities. I actually have a dictionary on a flash drive that is 2.7GB.. and it is just a simple text file.
Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

But what would the bandwidth from the cracker to the crackee have to be to even allow 348 billion password attempts per second on an 18 digit password?

Isn't the limiting factor in this case simply the fact that you can't push data into the pipe fast enough, no matter how fast you try? Or are we assuming that one is trying to crack a file which is small enough to actually maintain in RAM on the GPUs themselves for each GPU to work on?

It's not an online crack.
It assumes the cracker got the encrypted password file and is trying to find which unencrypted text matches the ones in the file.
Brute force attacks can't be done online because most systems block the accounts after a very few failed attempts...

Say someone got ahold of my login for work. If you attempt and fail the PW 3 times it locks the system id and forces one to get an admin reset. Assuming this is a standard practice for accounts and private files it seems slamming out a PW wouldn't be possible unless the system allowed such behavior.
In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

Say someone got ahold of my login for work. If you attempt and fail the PW 3 times it locks the system id and forces one to get an admin reset. Assuming this is a standard practice for accounts and private files it seems slamming out a PW wouldn't be possible unless the system allowed such behavior.

That's how it is where I work: 3 tries and then it's IT's turn to reset. And they don't work 3rd shift.
That's also how AOL works.

Of course, it's not like there are some sloppy IT guys that don't care and possibly allow something like this. However, most decent workplaces and I assume secure sites wouldn't allow the constant pounding without someone being alerted to the massive attack attempts at gaining access to a person's account.
In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

Even if there was no disabling of an account after so many unsuccessful login attempts, there's the issue of network latency. Even if this GPU monster could check billions of combinations a second, good luck with hitting that remote system at that rate. You'd probably end up with under 100 per second, maybe not even close to that.

It would be OK if the login in question was on a PC or HDD that someone had on hand and could slam at it while it was connected to the beast.
In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope
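
The arithmetic worked through in this thread, as an added example that is not part of any post: it reproduces the 62^18 and 26^8 figures at the quoted guess rates and, going one step beyond the posts, solves for the shortest password length that holds out for a chosen number of years. The 365-day year, the function names and the 100-year target are assumptions.

```python
# Added example: exhaustive-search arithmetic using the figures quoted in the thread.
SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year (assumption; matches the thread's year figures)

# Guess rates quoted in the thread, in guesses per second.
RATE_CONSERVATIVE = 10_000_000       # "10 million attempts/second"
RATE_GPU_NTLM = 348_000_000_000      # "348 billion NTLM password hashes per second"
RATE_ONLINE = 100                    # "under 100 per second" against a remote login


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def exhaust_seconds(charset_size: int, length: int, rate: int) -> float:
    """Worst-case time to try every candidate; a random password falls, on average, at half of this."""
    return keyspace(charset_size, length) / rate


def exhaust_years(charset_size: int, length: int, rate: int) -> float:
    return exhaust_seconds(charset_size, length, rate) / SECONDS_PER_YEAR


def min_length(charset_size: int, rate: int, years: int) -> int:
    """Shortest length whose full keyspace takes at least `years` to exhaust at `rate`."""
    budget = rate * years * SECONDS_PER_YEAR   # guesses available in that time (exact integer)
    length = 1
    while keyspace(charset_size, length) < budget:
        length += 1
    return length


def report() -> list:
    """Years to exhaust an 18-character a-z, A-Z, 0-9 password at each quoted rate."""
    rates = (("10 million/s", RATE_CONSERVATIVE),
             ("348 billion/s", RATE_GPU_NTLM),
             ("100/s online", RATE_ONLINE))
    return [(label, exhaust_years(62, 18, rate)) for label, rate in rates]


if __name__ == "__main__":
    for label, years in report():
        print(f"62^18 at {label:>14}: {years:.3e} years")
    print(f"26^8 at 348 billion/s: {exhaust_seconds(26, 8, RATE_GPU_NTLM):.3f} s")
    for charset in (26, 62, 95):
        print(f"charset {charset}: length {min_length(charset, RATE_GPU_NTLM, 100)} "
              f"needed to last 100 years at 348 billion/s")
```
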